On 11/27, Serge E. Hallyn wrote:
>
> Quoting Oleg Nesterov (oleg@xxxxxxxxxx):
> > To all: sorry for noise, I can't comment this patch.
> >
> >
> > But Eric, could you please help me to understand? I am totally confused.
> >
> > So, afaics, initially (even after MS_KERNMOUNT) fs_fully_visible("proc")
> > should return false.
> >
> > After the normal "mout -t proc none /proc/" it becomes true.
> >
> > And it is still true after, say, "mount -t ramfs none /proc/sys" because
> > "ls -ld /proc/sys" shows ->i_nlink == 1.
> >
> > However, say, "mount -t ramfs none /proc/tty/" should make
> > fs_fully_visible() == F, because in this case ->i_nlink == 4.
> >
> > Correct?
> >
> > If yes, could you explain what this "!CAP_SYS_ADMIN && !fs_fully_visible"
> > check actually tries to prevent and why?
>
> The idea is that some admin on a host where /a/b/c/d exists, c/d should
> be hidden, so overmounts a tmpfs onto /a/b/c. In that case, an unpriv
> user could clone(CLONE_NEWUSER), then clone(CLONE_NEWNS), then umount
> /a/b/c and see /a/b/c/d. This patch was to try and prevent that.
Thanks Serge, but now I am even more confused... fs_fully_visible() is
only called by proc/sysfs_mount ?
Perhaps you meant that admin may want to hide something in /proc or /sys?
This is what I suspected initially, but see "mount /proc/sys" above...
I guess you can ignore me, I don't understand this at all. To the point,
suppose that /proc was never mounted, even in the root namespace. Then
how a sub-namespace mount it? fs_fully_visible() can't return true.
OK, sorry again for noise.
Oleg.
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
